
#1 yewbie

Posted 25 October 2012 - 05:21 PM

Use parameterized queries. Don't just concatenate strings together to make your SQL statements.


Here is what I am currently doing, does this count as a parameterized query?

[source lang="php"]
function BlahRpt($orderby, $startdate, $enddate)
{
    // Escape each input, then interpolate it straight into the SQL text
    $sanorderby   = $this->SanitizeForSQL($orderby);
    $sanstartdate = $this->SanitizeForSQL($startdate);
    $sanenddate   = $this->SanitizeForSQL($enddate);
    $qry = "Select * from $this->tablename WHERE `RequiredDate` >= '$sanstartdate' AND `RequiredDate` <= '$sanenddate' ORDER BY $sanorderby ASC";
    return $qry;
}
[/source]


[source lang="php"]
function SanitizeForSQL($str)
{
    // Prefer the driver's escaping; fall back to addslashes() if the MySQL extension is absent
    if (function_exists("mysql_real_escape_string")) {
        $ret_str = mysql_real_escape_string($str);
    } else {
        $ret_str = addslashes($str);
    }
    return $ret_str;
}
[/source]
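For comparison, the same report query written as a real parameterized query (an added example, not the poster's code): the two dates are bound as PDO parameters, and the ORDER BY column, which cannot be a parameter, is checked against an allowlist instead of being escaped. Escaping only neutralizes quotes inside a quoted string literal, so it does nothing for an identifier dropped bare into ORDER BY. The table name, column names and the in-memory SQLite data are assumptions so the snippet runs stand-alone.

```php
<?php
// Added example: parameterized version of the report query above.
class Report
{
    private PDO $db;
    private string $tablename = 'orders'; // assumed table name

    // Only these columns may appear in ORDER BY; identifiers cannot be bound.
    private const SORTABLE = ['RequiredDate', 'OrderID', 'CustomerName'];

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // On MySQL also set PDO::ATTR_EMULATE_PREPARES to false so the
        // server, not the client library, does the binding.
    }

    public function blahRpt(string $orderby, string $startdate, string $enddate): array
    {
        // Identifier: allowlist check, never escape-and-interpolate.
        if (!in_array($orderby, self::SORTABLE, true)) {
            throw new InvalidArgumentException("Unsupported sort column");
        }
        // Values: named placeholders, sent to the driver separately from the SQL text.
        $sql = "SELECT * FROM `{$this->tablename}`
                WHERE `RequiredDate` >= :start AND `RequiredDate` <= :end
                ORDER BY `$orderby` ASC";
        $stmt = $this->db->prepare($sql);
        $stmt->bindValue(':start', $startdate, PDO::PARAM_STR);
        $stmt->bindValue(':end', $enddate, PDO::PARAM_STR);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed in-memory SQLite data so the example runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE orders (OrderID INTEGER, CustomerName TEXT, RequiredDate TEXT)");
$db->exec("INSERT INTO orders VALUES (1,'Acme','2012-10-01'),(2,'Globex','2012-10-20'),(3,'Initech','2012-11-05')");

$rpt = new Report($db);
// Returns the two October rows; the bound dates are treated as data, never as SQL.
print_r($rpt->blahRpt('RequiredDate', '2012-10-01', '2012-10-31'));
```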

